As Mathias Krause pointed out, the ‘msg_namelen’ member of the ‘msghdr’ structure remains uninitialized, resulting in a kernel information leak. Below is how this structure is defined in the include/linux/socket.h header file.

2 Responses

What’s missing in the article, IMHO, is the location of the leak itself: the call to move_addr_to_user() in net/socket.c:__sys_recvmsg()/sys_recvfrom(). It takes the user-supplied msg_namelen value, capped at sizeof(struct sockaddr_storage), as the upper bound for the user copy of the (uninitialized) sockaddr_storage stack variable. Therefore the fix for IrDA was only one of many.

It’s Mathias Krause, btw. But you weren’t the only one that got it wrong. :/
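The leak path described in the post and in the first comment, as an added user-space model (not kernel code and not from the original post or its comments): the caller-supplied msg_namelen bounds the copy out of a stack sockaddr_storage, so a handler that never writes an address lets stale stack bytes reach user space, while the fixed path zeroes msg_namelen before the handler runs. The 0xAA stale pattern, the 16-byte address and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the recvmsg path discussed above; not kernel code. */
#define SOCKADDR_STORAGE_LEN 128   /* sizeof(struct sockaddr_storage) on Linux */
#define STALE_BYTE 0xAA            /* stands in for leftover kernel stack contents */

struct msghdr_model {
    unsigned char *msg_name;   /* the kernel's sockaddr_storage stack variable */
    size_t msg_namelen;        /* length the syscall layer will copy back */
};
static unsigned char user_buf[SOCKADDR_STORAGE_LEN];   /* the user's msg_name buffer */

/* Protocol recvmsg handler model. A datagram-style handler fills in the peer
   address and sets msg_namelen; a stream-style handler has no address and, in
   the buggy kernels, left msg_namelen untouched. */
static void proto_recvmsg(struct msghdr_model *m, int has_address) {
    if (has_address) {
        memset(m->msg_name, 0x42, 16);   /* constructed 16-byte address */
        m->msg_namelen = 16;
    }
}

/* move_addr_to_user() model: copies msg_namelen bytes, capped at the storage
   size, from msg_name to user space. Returns the number of bytes copied. */
static size_t move_addr_to_user(const struct msghdr_model *m) {
    size_t n = m->msg_namelen > SOCKADDR_STORAGE_LEN ? SOCKADDR_STORAGE_LEN : m->msg_namelen;
    memcpy(user_buf, m->msg_name, n);
    return n;
}

/* One recvmsg() call; user_namelen is the caller-supplied msghdr.msg_namelen.
   fixed == 0 trusts it (the bug); fixed == 1 zeroes msg_namelen before the
   handler runs, so only bytes the handler wrote can reach user space. */
size_t recvmsg_model(size_t user_namelen, int has_address, int fixed) {
    unsigned char storage[SOCKADDR_STORAGE_LEN];
    memset(storage, STALE_BYTE, sizeof storage);   /* stands in for an uninitialized stack var */
    struct msghdr_model m = { storage, fixed ? 0 : user_namelen };
    proto_recvmsg(&m, has_address);
    return move_addr_to_user(&m);
}

/* Number of the first n bytes in user_buf that are stale stack content. */
size_t stale_bytes(size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (user_buf[i] == STALE_BYTE);
    return count;
}
```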